Privacy Concern on Mobile App Development

Henry Chang, IT Advisor
Office of the Privacy Commissioner for Personal Data, Hong Kong
8 January 2015

Privacy Campaign for Mobile App Development

Note: The contents herein are for general reference only. It does not provide an exhaustive guide to the application of the Personal Data (Privacy) Ordinance (“the Ordinance”). For a complete and definitive statement of law, direct reference should be made to the Ordinance itself. The Privacy Commissioner for Personal Data (“the Commissioner”) makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the above information. The contents herein will not affect the exercise of the functions and power conferred to the Commissioner under the Ordinance.

Agenda

• Background
• Data protection principles in apps development
• Case studies on privacy-friendly mobile apps
• Best practice guide for mobile app development

The way we were…


Surveys on the top 60 mobile apps

May 2014

• 55% provided privacy policy
• 15% of the policies that were tailor-made to apps
• 8% app developers had not provided sufficient details to identify themselves

May 2013

• 60% provided privacy policy
• 8% of the policies that were tailor-made to apps
• 60% app developers had not

Free publicity?


Would you use these apps?


What are the data protection principles?


Data Flow and Data Protection Principles (DPPs*)

Personal Data Flow (IT System): Collection → Storage, Use or Processing → Retention/Erasure

• DPP 1 – Collection
• DPP 2 – Accuracy and retention
• DPP 3 – Use
• DPP 4 – Security
• DPP 5 – Transparency
• DPP 6 – Rights of access and correction

* http://www.pcpd.org.hk/english/data_privacy_law/ordinance_at_a_Glance/ordinance.html

The Six Data Protection Principles

1. Purpose and Manner of Collection

– Collection must be directly related to purposes, and is lawful, fair, necessary, adequate and not excessive;
– Inform data subjects of purposes, class of transferees, consequence of not providing the data, and the rights to access and correction;
– Ask yourself if the purpose of collection on each piece of data can be justified.

2. Accuracy and Duration of Retention

– Data should only be used if it is considered accurate;
– Data should not be kept longer than necessary (including by contractors);
– Consider the risk or impact if inaccurate data is used, or data is kept longer than is required;
– Have you provided means to data subjects to remove their accounts?

3. Use of Personal Data

– Data should only be used for the original purposes unless further consent is obtained;
– Even if you consider the new use is beneficial to app users, if they have not been properly informed, you are changing the use and need to seek their consent.

4. Security of Personal Data

– Appropriate security measures to be applied (including by contractors);
– Have you applied appropriate encryption, hashing or masking during storage and transmission, including the transferal to third parties?
– Assess the adverse impact of any operating system upgrades or features.

5. Information to be Generally Available

– Transparency of personal data policies and practices is needed;
– Is the app-specific privacy policy statement readily accessible before app installation?
– Even if you do not think you are collecting personal data, you should consider making it known clearly in a privacy policy statement, as a smartphone is often considered a very personal device to many.

6. Access to Personal Data

– Ensure mechanism is in place to respect the rights of data subjects for access

Privacy by Design

Privacy by Design* is the philosophy of embedding privacy from the outset into the design specifications of accountable business processes, physical spaces, infrastructure and information technologies

The essence of Privacy by Design

A clever person solves problem, a wise person

Privacy by Design – when applying it to app development

• Is the access of the information necessary?
• If access is necessary, is there a clear/accessible privacy policy/notice?
• If access is necessary, is the uploading of the information necessary?
• If uploading is necessary, is the storage necessary?
• If access is necessary, is the sharing/transferal of the information necessary?
• What other information is being collected/combined/associated? What are the impacts?
• What safeguards (such as encryption and access controls) are in place to the information accessed/transmitted/shared/kept?
• Can mobile user opt-out of any of these and erase accounts?

Examples


Available before installation

(Nearly) single page and in simple language

Specific to the types of data accessed

Assured users what it would not do

But – don’t copy this…


The good - build your own granular controls


The "room for improvement" – PPS transparency

• BILLING description matches with permission sought
• Difficult for users to match GET_TASKS to the permission
• READ_PHONE_STATUS does not explain anything
• Concentrate on permission and neglected business purposes
• No explanation on advertising arrangement

Do you really need access to SMS just to use it once?

Access to SMS only for a one-off authentication but leave customers to worry about privacy.

Why not use another means that would not require permission?


Best Practice Guide for Mobile App Development

• Modular and flow-chart approach
• Legal requirements
• Privacy by Design explained
• Best practice recommendations
• Checklist for self-evaluation
• Transparency

Contact Us

• Hotline - 2827 2827
• Fax - 2877 7026
• Website - www.pcpd.org.hk
• E-mail - [email protected]
• Address - 12/F, Sunlight Tower, 248 Queen’s Road East, Wanchai, HK

© Office of the Privacy Commissioner for Personal Data, 2015

The above PowerPoint may not be reproduced without the written consent of the Office of the Privacy Commissioner for Personal Data.
